Gmail Phishing Attacks Could Dupe the Unwary

The security gurus over at Naked Security are warning Gmail users about a phishing scam they have seen emailed around to Gmail users recently. A phishing scam is one in which a user is tricked into entering account usernames, passwords, or other personal information into fields on attacker-controlled websites (often hosted on compromised legitimate servers) designed to look official. The usual format is something along the lines of a terse email, apparently from an official source such as Facebook, Microsoft, or Google, demanding a password change from a user and providing a link to do so. The link leads to a page designed to mimic an official login page, but which steals whatever is entered into the login fields. Less sophisticated phishing scams simply implore the user to reply to the email with personal information.

The phishing email Naked Security is warning of appears as if it were sent from the “Google+ team.” The email supposedly confirms that the user’s recovery email address has been changed, and that if the user has not done this, they should follow a link that has the link-text of http://accounts.google.com and update their account. The last paragraph of the email is in a larger font and reads “However, Failure to do so may result in account suspension permanently.” [sic] That’s an odd statement, since the email also states at one point that if the user has, in fact, changed their recovery email address then they can disregard the email entirely.

It’s logical contradictions such as this, numerous grammar and punctuation errors, and the threat of “account suspension permanently” that give away a phishing scam. Also, for those who are really paying attention, the link text begins with http://, and Google uses https for all of its sites now. The visible text of a link is not its destination: hovering over the link (or viewing the message source) shows where it really goes, and in this case the link that appears to lead to the Google accounts page actually leads to a phishing site that will steal the user’s Google login credentials. And with Google services so intimately linked, that means the phisher would have access to the user’s Gmail, Google Docs, Google+, and YouTube accounts, among others. An Android phone could also be compromised through Google Play.
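The two tells described above (link text that claims one destination while the href points somewhere else, and a plain-http link to a Google host) can be checked mechanically. The following is an added example, not code from Naked Security or the original article; the HTML below is a constructed stand-in for the email's structure, and the href host `accounts-google.example.net` is a hypothetical placeholder, not the real phishing domain.

```python
"""Flag suspicious anchors in an HTML email body.

Added example, not from the original article. Two checks, both drawn from the
article's description of the scam:
  1. the visible link text is a URL whose host differs from the href's host;
  2. a URL (href or visible text) uses plain http for a google.com host,
     which Google no longer serves over http.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mimicking the phishing email's structure. The href host is a
# hypothetical placeholder, not a real phishing domain.
SAMPLE_EMAIL_HTML = """
<p>Your recovery email address has been changed.</p>
<p>If you did not do this, please go to <a href="http://accounts-google.example.net/verify">
http://accounts.google.com</a> and update your account.</p>
<p>Questions? Visit <a href="https://support.google.com/">Google Support</a>.</p>
<p style="font-size:18px">However, Failure to do so may result in account suspension permanently.</p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Return the lowercase host if text parses as an http(s) URL, else None."""
    p = urlparse(text.strip())
    if p.scheme in ("http", "https") and p.hostname:
        return p.hostname.lower()
    return None


def is_google_host(host):
    """True for google.com itself or any subdomain of it (not lookalikes)."""
    return host == "google.com" or host.endswith(".google.com")


def check_anchor(href, text):
    """Return a list of human-readable findings for one anchor (empty if clean)."""
    findings = []
    href_host, text_host = host_of(href), host_of(text)
    # Check 1: the visible text is itself a URL, but its host is not the href's host.
    if text_host and href_host and text_host != href_host:
        findings.append(
            f"visible text claims {text_host} but href goes to {href_host}")
    # Check 2: plain http for a Google host, in either the href or the visible text.
    for label, url in (("href", href), ("visible text", text)):
        p = urlparse(url.strip())
        if p.scheme == "http" and p.hostname and is_google_host(p.hostname.lower()):
            findings.append(
                f"{label} uses plain http for {p.hostname.lower()}; Google serves https")
    return findings


def scan_email(html):
    """Parse an HTML email body and return [(href, text, findings), ...]."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    return [(href, text, check_anchor(href, text)) for href, text in collector.anchors]


if __name__ == "__main__":
    for href, text, findings in scan_email(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if findings else "ok"
        print(f"[{status}] text={text!r} href={href!r}")
        for f in findings:
            print(f"    - {f}")
```

The first anchor in the sample trips both checks; the second (an https link to support.google.com with non-URL link text) is clean. A mail gateway or browser extension applying the same logic would still want to add lookalike-domain and redirect checks, which are outside what this article describes.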

It can be easy to fall for such a scam if users are in a hurry or aren’t paying attention. And Google isn’t the only company being spoofed, as some Apple customers have found out. Users who simply take some time and type the URL for the websites they use into the browser themselves, rather than following links in email, should be safe. Also, Google users can add some extra protection to their accounts by turning on 2-step verification, which requires a code messaged to the user’s phone, in addition to the password, before logging in on a new computer; a stolen password alone is then not enough to get into the account.